In present day communications networks there is a significant requirement that security issues, including unwanted intrusions from rogue attackers, be fully addressed. To this end considerable effort is being, and has been, devoted to finding ways of preventing unwanted attacks by malicious and ingenious hackers. Typically, as new solutions are introduced, attackers find ways of counteracting them.
Enterprise, Wireless Local Area Network (WLAN) security, in particular, is a very serious concern, considering that false-base station attacks can be carried out from unsuspecting locations such as parking-lots and from the curb-side. It is generally accepted that large-scale adoption of WLAN will happen only if robust and simple security mechanisms against such attacks are implemented. Mobile and wireless manufactures have been trying with varying degrees of success to promote Enterprise WLAN adoption but current figures suggest that only 25% of Corporate users trust the security offered by WLAN in enterprise environments. The present invention provides security solutions which are not limited to Corporate environments, but can be used in the home and home offices as well.
One prior art solution provides for Mutual Authentication between Access Points and Mobile/Wireless devices using the IEEE 802.11i standards. In this prior art solution the Authentication Phase is performed after the Discovery Phase and the Association Phase are implemented. The connection is established first and then Authentication is performed. The Mobile device is authenticated by means of an Authentication Server (generally a Radius Server) located in the home network using the Identity of the Mobile. The Authentication Server is also mutually authenticated by the mobile and, since the Access Point that performs access control in the WLAN network that may be controlled by the same Operator is trusted by the home operator, it is therefore trusted by the Authentication Server using prior Security established with the Access Point.
Generally, the prior art focuses effort on connectivity to any AP for WLAN service but the present solution focuses only on APs that are of interest to the Mobile/Wireless devices.
The prior art solutions require quite a bit of messaging before trust is established between the mobile and the Access Points (hereafter referred to as AP). In short, the authenticity of an AP is not established until the Authentication Phase, which happens after the Probe Exchange, the Beacon messages are sent and the Association Phase. During these message exchanges an Access Point can send malicious management messages which can be used to consume radio and battery resources resulting in a Denial-of-Service scenario. Genuine APs sending beacon frames but which are of no interest to a particular mobile client are processed even though they are not from an AP of interest which again consumes valuable computing/battery resources.